Understanding And Using Custom Queries


Purpose This document describes how to use the full flexibility of Nagios to get the most out of your network flow data. Target Audience Network admins performing forensic analysis on a network's flow data to drill directly to the information they need. Terminology The following terms will be used throughout this document: src - Source dst - Destination srcip - Source IP is the IP Address the traffic originated from dstip - Destination IP is the IP Address the traffic is going to srcport - Source Port is the network port the traffic is transmitted on dstport - Destination Port is the network port the traffic is received on Introduction This documentation will show you how to use Nagios to turn existing flow data into meaningful information. This manipulation will not destroy your data at all, so feel free to experiment, as there is no chance at all that you will break anything. You will need to have an existing source with flow data to be able to follow the examples in this documentation. Page 1 / 14

Performing A Query

Click Sources on the top menu and then click one of your sources. Click the Queries tab to bring up the query options. This is where the majority of the work and explanation in this document takes place, and it will most likely be the entry point for any deep-diving you do into the flow data.

On this page you'll see many fields. This section describes what each one is for and how to use it.

Aggregate By - This is how the flows will be associated with each other. This field should be a comma-delimited list of aggregate values such as dstip, srcip, dstport and srcport. When the flows are aggregated, all flows with the same value for each aggregate field are grouped together. For instance, if we simply specify dstip, all flows with the same dstip are grouped into one row, so each unique dstip appears once. Try it out: type dstip in the Aggregate By field, leave the Raw Query field blank and click the Run Query button. The screenshot on the following page is an example of what you might get.

You can see that a Chord Diagram is generated; you can click the icon on the diagram to enlarge it. Hovering the mouse over an address in the diagram highlights its relationships with the other addresses. Underneath is the detailed table of results from the query. Notice that all the IPs listed are unique. This is because, as the query looked through the flow data, it grouped all flows with the same dstip, treated them as one entity, and computed a running sum of the metrics for each unique destination IP.

You can increase the granularity by adding srcip to the Aggregate By field. Try this by changing the Aggregate By field to dstip,srcip and clicking the Run Query button. This will now treat each dstip,srcip pair as a unique entry. Two connections from IP A to IP B will be summed and represented as one row, whereas traffic from IP B to IP A will not be in that same row.
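The grouping described above, as an added example that is not from this document or from Nagios: a small Python function that aggregates constructed flow records on the comma-delimited Aggregate By fields, summing bytes and packets and counting flows per group, so that dstip yields one row per destination while dstip,srcip keeps the A to B and B to A directions apart.

```python
from collections import defaultdict

# Constructed flow records (not from the document); each dict stands for one exported flow.
FLOWS = [
    {"srcip": "10.25.254.50", "dstip": "10.25.2.1", "srcport": 51000, "dstport": 80, "bytes": 2000, "packets": 5},
    {"srcip": "10.25.254.50", "dstip": "10.25.2.1", "srcport": 51001, "dstport": 80, "bytes": 3000, "packets": 7},
    {"srcip": "10.25.2.1", "dstip": "10.25.254.50", "srcport": 80, "dstport": 51000, "bytes": 9000, "packets": 6},
    {"srcip": "10.25.14.10", "dstip": "10.25.2.1", "srcport": 40000, "dstport": 53, "bytes": 100, "packets": 1},
]


def aggregate(flows, aggregate_by):
    """Group flows on the Aggregate By fields (e.g. "dstip" or "dstip,srcip").

    Returns {key_tuple: {"flows": n, "bytes": total, "packets": total}}: one row per
    distinct combination of the chosen fields, with a running sum of the metrics.
    """
    keys = [k.strip() for k in aggregate_by.split(",")]
    totals = defaultdict(lambda: {"flows": 0, "bytes": 0, "packets": 0})
    for flow in flows:
        row = totals[tuple(flow[k] for k in keys)]  # same field values -> same row
        row["flows"] += 1
        row["bytes"] += flow["bytes"]
        row["packets"] += flow["packets"]
    return dict(totals)


if __name__ == "__main__":
    for spec in ("dstip", "dstip,srcip", "dstip,srcip,dstport,srcport"):
        print(spec, aggregate(FLOWS, spec))  # more aggregate fields -> more unique rows
```

With "dstip" the three flows towards 10.25.2.1 collapse into one row; with "dstip,srcip" the 10.25.2.1 to 10.25.254.50 reply traffic gets its own row rather than being summed with the forward direction.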

The more aggregate values you have, the more unique rows show up, so queries generally take longer to run as you add aggregate values. You are not limited to aggregating by similar values; for example you could have a query like dstip,dstport and get results like the following screenshot.

Time Frame - This is where you set the time frame for the query. This section is largely self-explanatory: you can set either hard date times to search between, or soft date times. Hard date times are exact times, like from 1:00PM on January 1st until 2:00PM on January 1st. You can also set elapsed time frames, to specify something like 3 hours ago until now.

Raw Query - This field is the most powerful tool when querying data. In this field you enter a query string to filter the data; if you have ever used tcpdump before, the syntax will be familiar. In a query string you can specify quite a few parameters to limit what is shown to you, and chain parameters together to isolate exactly what you'd like to see.

Let us assume that we would only like to see traffic on port 80. It doesn't matter whether it's coming from port 80 or going to port 80. In the query box you would type:

port 80

Here is an example of what that looks like. This shows all dstip,srcip aggregates that are talking on port 80.

Now change the Aggregate By field to dstip,srcip,dstport,srcport and click the Run Query button; you will get results like the following.

Notice how many pages of entries this returns: 918 pages times 20 entries per page gives us 18,360 entries! If you scroll through them you'll notice they all have port 80 as one of their ports; this is because you are seeing traffic in both directions. If you only want to see flows where the source port is 80, amend the query to:

src port 80

Now the query is limited to the source port.

You can also click any of the hyperlinks in the table of data to drill down further into the query. This populates the Raw Query field with a new query based on what you clicked on. In the screenshot above these are the Source IP, Destination IP, Source Port and Destination Port columns.

Save Query

You can save a query to use again at a later stage. Click the Save button to the right of the Raw Query window. You will need to provide a Name and Description. Click the Save Query button to save.

Load Query

To load a query that you previously saved, click the Load button to the right of the Raw Query window. Select a query from the Name list and click the Load Query button to load it.

Delete Query

If you want to delete an existing query, click the Delete icon to the right of the Loaded Query field. You will need to click OK in the window that appears to delete the query.

Advanced Queries

So far you've seen some basic queries. The following sections explain how you can make a query more specific depending on what information you are after.

IP / Network

A raw query can use an IP address or a network scope. Here is an example of using an IP address:

ip 10.25.2.1

Here is an example of using a network scope in slash (CIDR) notation:

net 10.25.0.0/16

In the screenshots above you can see that the IP address or network scope being queried appears in either the Source IP or the Destination IP column.

Defining Source Or Destination

Queries can be prefixed with src or dst to target a specific traffic direction. Here is a net example:

src net 10.25.0.0/16

You can see in the screenshot above that all the 10.25.0.0/16 addresses are in the Source IP column. Here is a port example:

dst port 80

You can see in the screenshot above that port 80 appears only in the Destination Port column.

Logic Operator: AND

Using the AND operator allows you to write more granular queries, for example:

src ip 10.25.254.50 AND dst port 80

Logic Operator: OR

Using the OR operator allows you to write more flexible queries, for example:

src ip 10.25.254.50 OR dst ip 10.25.2.1

Logic Operator: NOT

Using the NOT operator allows you to write queries that exclude data, for example:

NOT dst port 53

Metrics

You can create queries on the amount of traffic that went through for each flow:

dst port 80 AND bytes > 1m

You are not limited to the < and > operators; you can use = as well. The query above was for bytes, but you can also use packets and flows.

Using Parentheses To Group Expressions

You can add parentheses to your expression to make it clear how the query will be evaluated; this allows for more complex queries. Here is a simple example:

src ip 2001:44b8:3132:25:10:25:254:50 AND (dst port 80 OR dst port 443)

You can see that the example returned results for port 80 OR 443. This example also demonstrates that IPv6 addresses can be queried. Here is a more complex example:

(src ip 10.25.254.50 OR src ip 10.25.14.10 OR src net 2001:44b8:3132:25:0:0:0:0/64) AND (dst port 80 OR dst port 443) AND NOT src ip 2001:44b8:3132:25:10:25:14:52 AND bytes > 10m

While a lot more complicated, you can see that only one result was returned, which can be very useful when interrogating flow data. The first parenthesized group targeted two IP addresses or an entire IPv6 subnet (using multiple ORs). The second parenthesized group allowed port 80 OR 443. Then two more conditions were defined.
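The raw query syntax covered in the sections above (src/dst prefixes, ip, net, port, AND/OR/NOT, parentheses and byte or packet thresholds), as an added example that is not from this document, from Nagios or from nfdump: a small Python parser that compiles such a query into a predicate and applies it to constructed flow records. It assumes that AND binds tighter than OR (parentheses override this, as the page recommends), that an unprefixed ip/net/port term matches either direction, and that the k/m/g suffixes are decimal multipliers.

```python
import ipaddress

# Constructed sample flows (not from the document); Nagios would read these from nfdump.
FLOWS = [
    {"srcip": "10.25.254.50", "dstip": "10.25.2.1", "srcport": 51000, "dstport": 80, "bytes": 2_000_000},
    {"srcip": "10.25.2.1", "dstip": "10.25.254.50", "srcport": 80, "dstport": 51000, "bytes": 12_000_000},
    {"srcip": "10.25.14.10", "dstip": "10.25.2.1", "srcport": 40000, "dstport": 53, "bytes": 300},
    {"srcip": "2001:44b8:3132:25:10:25:254:50", "dstip": "2001:db8::1", "srcport": 40001, "dstport": 443, "bytes": 15_000_000},
]
UNITS = {"k": 10 ** 3, "m": 10 ** 6, "g": 10 ** 9}  # assumed decimal suffixes, as in "bytes > 10m"
PREC = {"or": 1, "and": 2}  # assumed: AND binds tighter than OR; parentheses override that

def parse_filter(query):  # compile a raw query into a predicate over one flow dict
    toks = query.replace("(", " ( ").replace(")", " ) ").split()
    peek = lambda: toks[0].lower() if toks else None
    take = lambda: toks.pop(0)
    def expr(min_prec=0):  # precedence climbing over the AND/OR operators
        left = unary()
        while peek() in PREC and PREC[peek()] >= min_prec:
            op = take().lower()
            right = expr(PREC[op] + 1)
            left = (lambda a, b, o: lambda f: a(f) and b(f) if o == "and" else a(f) or b(f))(left, right, op)
        return left
    def unary():  # NOT unary | '(' expr ')' | primary
        tok = peek()
        if tok not in ("not", "("):
            return primary()
        take()
        inner = unary() if tok == "not" else expr()
        if tok == "(" and take() != ")":
            raise ValueError("unbalanced parenthesis")
        return (lambda f: not inner(f)) if tok == "not" else inner
    def primary():  # [src|dst] (ip A | net N/M | port P | bytes|packets OP VALUE)
        dirs = (take().lower(),) if peek() in ("src", "dst") else ("src", "dst")  # no prefix: either direction
        kw = take().lower()
        if kw in ("ip", "net"):  # a bare address becomes a /32 or /128 network
            net = ipaddress.ip_network(take(), strict=False)
            return lambda f: any(ipaddress.ip_address(f[d + "ip"]) in net for d in dirs)
        if kw == "port":
            port = int(take())
            return lambda f: any(f[d + "port"] == port for d in dirs)
        if kw in ("bytes", "packets"):
            op, raw = take(), take().lower()
            val = int(raw[:-1]) * UNITS[raw[-1]] if raw[-1] in UNITS else int(raw)
            return lambda f: {"<": f[kw] < val, ">": f[kw] > val, "=": f[kw] == val}[op]
        raise ValueError("unknown keyword: " + kw)
    pred = expr()
    if toks:
        raise ValueError("unexpected token: " + toks[0])
    return pred
```

Apply it with a comprehension such as `[f for f in FLOWS if parse_filter("src port 80")(f)]`, which keeps only the flow whose source port is 80, while `"port 80"` also keeps the flow going to port 80; the page's long parenthesized query returns only the IPv6 flow on these records.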

Source Groups

Queries can also be performed on Source Groups via the Source Groups menu on the navigation bar. Click the desired Source Group and then click the Queries tab. The functionality is the same as for Sources.

Managing Queries

Queries can be managed via the Queries menu on the navigation bar. You can delete multiple queries by checking the boxes in the left column and then clicking the Delete button.

In the Actions column you can Run, Edit and Delete a query. When clicking Run you are prompted to select a Source or Source Group to execute the query against. Once you click the Run Query button you are taken to the Source or Source Group page with the results of the query just executed.

Further Reading

This documentation covered many of the features available in queries; however, it did not comprehensively cover all abilities of the query syntax. If you would like to read more, please refer to the following link:

http://nfdump.sourceforge.net/

Finishing Up

This completes the documentation on understanding and using custom queries in Nagios. If you have additional questions or other support related questions, please visit us at our Nagios Support Forums:

https://support.nagios.com/forum

The Nagios Support Knowledgebase is also a great support resource:

https://support.nagios.com/kb